GNAP Interim

Date: 2022-01-20

Draft Updates

Presented by: Justin Richer

Note taker: Aaron Parecki

Slides

Questions

Slides

Yaron: What's the right venue to talk about implementations ahead of the hackathon?

Justin: I will start a thread on the GNAP mailing list

Interactive requests in support of W3C VC API

Presented by: Dmitry Zagidulin

Note taker: Justin Richer

Interactive workflow in VC API (W3C work)
- Verifiable Credentials
- Digital wallets for EDU

Inspired by GNAP's interaction methods, want to see what the overlap is

Use cases:

  1. We had expiring credentials in the wallet, needed to refresh them. Needed to send an existing credential plus some prereqs to get a new one.
  2. Needed to carry prereqs (like an access token (from OIDC)) to get a new VC

Looked at OIDC, GNAP, WACKI (?)

Looked for support to fulfill prereqs:
- "I received this request but need something else from you"
- looked at GNAP's interact/continue model

VC re-issue workflow:

Reminds me of GNAP!

Instead of just submitting the old token for refresh, could we allow submission of additional prerequisites?

2: issue a VC with prereqs

Question to GNAP WG: can we use interact start/finish to model the server endpoint?

Justin: Great writeup. This aligns well with the token rotation discussion. This sounds more like a grant update, "I want a new thing, you're going to require something else from me". It's not the same as rotating an access token, also because you're not issued an access token, you're issued a credential. The main divergence is how this all starts. In GNAP you start with an HTTP POST. Is there a way and does it make sense to allow an API like the VC API to start a GNAP flow in the middle? Is that GNAP or is that the VC API?

Dmitri: GNAP and VCAPI can be very complementary
- VCAPI requires authn (access tokens), getting tokens is out of band so GNAP is a way to do that
- would love to hear from the group whether there's intention to also use it for issuing VCs

Adrian: Frame the question in terms of delegation; this is the issue in terms of delegation. Because we have an authentication component to the flow, the question becomes "are we going to allow delegation as part of this process?"

Justin: GNAP could be extended to have VCs issued by the AS and presented to the AS. Already does "subject information" as identifiers and assertions. VCs could maybe be an assertion or possibly something else.